Most SMBs have no Information Security Policies � Security Policy University: Phishing attacks are now among the top security risks for organizations. Yet, according to a recent survey of small and medium-sized businesses (SMB), a full Eighty-seven (87%) percent do not have a formal written Internet security policy for employees.
http://www.mass.gov/ocabr/docs/idtheft/sec-plan-smallbiz-guide.pdf